updpwd AVC

Dominick Grift dominick.grift at gmail.com
Tue Sep 27 17:18:49 UTC 2011 

On Tue, 2011-09-27 at 16:26 +0100, Tony Molloy wrote:
> On Monday 26 September 2011 22:22:31 Dominick Grift wrote:
> 
> > On Mon, 2011-09-26 at 15:00 +0100, Tony Molloy wrote:
> 
> > > Hi,
> 
> > > 
> 
> > > 
> 
> > > On a fully updated CentOS 5.7 box I get the following AVC
> 
> > > 
> 
> > > 
> 
> > > Summary:
> 
> > > 
> 
> > > 
> 
> > > SELinux is preventing unix_update (updpwd_t) "getattr" to /
> 
> > > (fs_t).
> 
> > > 
> 
> > > 
> 
> > > Detailed Description:
> 
> > > 
> 
> > > 
> 
> > > SELinux denied access requested by unix_update. It is not
> 
> > > expected that this
> 
> > > 
> 
> > > access is required by unix_update and this access may signal an
> 
> > > intrusion
> 
> > > 
> 
> > > attempt. It is also possible that the specific version or
> 
> > > configuration of the
> 
> > > 
> 
> > > application is causing it to require additional access.
> 
> > > 
> 
> > > 
> 
> > > Allowing Access:
> 
> > > 
> 
> > > 
> 
> > > You can generate a local policy module to allow this access - see
> 
> > > FAQ
> 
> > > 
> 
> > > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you
> 
> > > can disable
> 
> > > 
> 
> > > SELinux protection altogether. Disabling SELinux protection is
> 
> > > not recommended.
> 
> > > 
> 
> > > Please file a bug report
> 
> > > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> 
> > > 
> 
> > > against this package.
> 
> > > 
> 
> > > 
> 
> > > Additional Information:
> 
> > > 
> 
> > > 
> 
> > > Source Context system_u:system_r:updpwd_t
> 
> > > 
> 
> > > Target Context system_u:object_r:fs_t
> 
> > > 
> 
> > > Target Objects / [ filesystem ]
> 
> > > 
> 
> > > Source unix_update
> 
> > > 
> 
> > > Source Path <Unknown>
> 
> > > 
> 
> > > Port <Unknown>
> 
> > > 
> 
> > > Host a.b.c.d
> 
> > > 
> 
> > > Source RPM Packages
> 
> > > 
> 
> > > Target RPM Packages filesystem-2.4.0-3.el5.centos
> 
> > > 
> 
> > > Policy RPM selinux-policy-2.4.6-316.el5
> 
> > > 
> 
> > > Selinux Enabled True
> 
> > > 
> 
> > > Policy Type targeted
> 
> > > 
> 
> > > MLS Enabled True
> 
> > > 
> 
> > > Enforcing Mode Enforcing
> 
> > > 
> 
> > > Plugin Name catchall
> 
> > > 
> 
> > > Host Name a.b.c.d
> 
> > > 
> 
> > > Platform Linuxl a.b.c.d 2.6.18-274.3.1.el5
> 
> > > 
> 
> > > #1 SMP Tue Sep 6 20:13:52 EDT 2011 x86_64 x86_64
> 
> > > 
> 
> > > Alert Count 11
> 
> > > 
> 
> > > First Seen Fri Feb 25 15:39:33 2011
> 
> > > 
> 
> > > Last Seen Mon Sep 26 14:18:54 2011
> 
> > > 
> 
> > > Local ID 275eef01-114a-419b-9df0-4bb81932bc5e
> 
> > > 
> 
> > > Line Numbers
> 
> > > 
> 
> > > 
> 
> > > Raw Audit Messages
> 
> > > 
> 
> > > 
> 
> > > host=a.b.c.d type=AVC msg=audit(1317043134.620:3620): avc: denied
> 
> > > { getattr } for pid=21354 comm="unix_update" name="/" dev=sda5
> 
> > > ino=2 scontext=system_u:system_r:updpwd_t:s0
> 
> > > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> > > 
> 
> > > 
> 
> > > 
> 
> > > I can generate a local policy module.
> 
> > 
> 
> > Any idea what you were doing when this happened? The reason i ask
> 
> > is because this is not even allowed in latest fedora as far as i
> 
> > can see.
> 
> > 
> 
> 
> This machine is basically a mail and ftp server. As far as I can tell
> from the logs ( secure and messages ) nobody was doing anything on the
> machine at the times I get the AVC, 5 times yesterday.
> 
> 
> > It is no big deal to allow updpwd_t to get attributes of the fs_t
> 
> > filesystem but it is certainly not common for updpwd_t to want this
> 
> > access i believe. If it was we probably would have gotten may more
> 
> > reports much earlier.
> 
> > 
> 
> 
> Strange then that I am getting it from this one server only.
> 
> 
> Here's the context for unix_update
> 
> 
> -rwx------ root root system_u:object_r:updpwd_exec_t /sbin/unix_update
> 
> 
> I've just run an autorelabel on the entire filesystem as part of the
> 5.6 to 5.7 CentOS update

See if you can reproduce it

> 
> Thanks,
> 
> 
> Tony
> 
> 
> > > Thanks,
> 
> > > 
> 
> > > 
> 
> > > Tony
> 
> > > 
> 
> > > --
> 
> > > selinux mailing list
> 
> > > selinux at lists.fedoraproject.org
> 
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110927/bd60e681/attachment.bin

More information about the selinux mailing list